jarvis/dd0c
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
133 Commits 1 Branch 0 Tags
5792f95d7cbe0572854e5f371b63ed277581df07
Commit Graph

8 Commits

Author SHA1 Message Date
Max Mayfield
5792f95d7c Fix BMad adversarial security review findings
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 47s
Details
CI — P2 Drift (Go + Node) / saas (push) Successful in 36s
Details
CI — P3 Alert / test (push) Successful in 36s
Details
CI — P4 Portal / build-push (push) Failing after 49s
Details
CI — P5 Cost / build-push (push) Failing after 4s
Details
CI — P6 Run / build-push (push) Failing after 4s
Details
CI — P4 Portal / test (push) Successful in 35s
Details
CI — P5 Cost / test (push) Successful in 40s
Details
CI — P6 Run / saas (push) Successful in 36s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 17s
Details
CI — P3 Alert / build-push (push) Failing after 15s
Details 
Resolves 11 of the 13 findings:
- [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config()
- [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps
- [CRITICAL] Invite Hijacking: added email verification check to invite lookup
- [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling
- [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup
- [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT
- [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual
- [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET
- [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES)
- [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup
- [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing

Note:
- Finding #4 (Fragmented Identity) requires a unified auth database architecture.
- Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean.
 2026-03-03 00:14:39 +00:00
Max Mayfield
eb953cdea5 Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 43s
Details
CI — P2 Drift (Go + Node) / saas (push) Failing after 5s
Details
CI — P3 Alert / test (push) Failing after 4s
Details
CI — P4 Portal / test (push) Failing after 4s
Details
CI — P5 Cost / test (push) Failing after 4s
Details
CI — P6 Run / saas (push) Failing after 5s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 7s
Details
CI — P3 Alert / build-push (push) Has been skipped
Details
CI — P4 Portal / build-push (push) Has been skipped
Details
CI — P5 Cost / build-push (push) Has been skipped
Details
CI — P6 Run / build-push (push) Failing after 5s
Details 
Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path

Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'

Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue

Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build

All 6 projects compile clean (tsc --noEmit).
 2026-03-02 23:53:55 +00:00
Max Mayfield
5bad2481ae Add /version endpoint to all products + BUILD_SHA/BUILD_TIME in Dockerfiles
Some checks failed
CI — P2 Drift (Go + Node) / saas (push) Successful in 34s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 4s
Details
CI — P3 Alert / build-push (push) Failing after 3s
Details
CI — P6 Run / saas (push) Successful in 23s
Details
CI — P4 Portal / build-push (push) Failing after 2s
Details
CI — P2 Drift (Go + Node) / agent (push) Successful in 17s
Details
CI — P3 Alert / test (push) Successful in 21s
Details
CI — P5 Cost / test (push) Successful in 24s
Details
CI — P4 Portal / test (push) Successful in 38s
Details
CI — P5 Cost / build-push (push) Failing after 3s
Details
CI — P6 Run / build-push (push) Failing after 2s
Details
2026-03-02 13:53:15 +00:00
Max Mayfield
27a89ee2b7 Trigger CI with tsc fix
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Failing after 3s
Details
CI — P2 Drift (Go + Node) / saas (push) Successful in 29s
Details
CI — P3 Alert / test (push) Successful in 40s
Details
CI — P4 Portal / test (push) Successful in 32s
Details
CI — P6 Run / saas (push) Successful in 30s
Details
CI — P5 Cost / test (push) Successful in 46s
Details
2026-03-01 06:56:00 +00:00
Max Mayfield
3e68e8871d Trigger CI for P2-SaaS, P4, P5, P6
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Failing after 1s
Details
CI — P4 Portal / test (push) Failing after 17s
Details
CI — P5 Cost / test (push) Failing after 15s
Details
CI — P6 Run / saas (push) Failing after 15s
Details
CI — P2 Drift (Go + Node) / saas (push) Successful in 43s
Details
2026-03-01 06:52:14 +00:00
Max Mayfield
68140881e0 Trigger CI for P3-P6 Node products
Some checks failed
CI — P3 Alert / test (push) Failing after 15s
Details
CI — P4 Portal / test (push) Failing after 19s
Details
CI — P5 Cost / test (push) Failing after 17s
Details
CI — P6 Run / saas (push) Failing after 18s
Details
2026-03-01 06:43:58 +00:00
Max Mayfield
f2e0a32cc7 Wire auth middleware into all products, add docker-compose and init-db script 
- Auth middleware (JWT + API key + RBAC) copied into P3/P4/P5/P6
- All server entry points now register auth hooks + auth routes
- Webhook and Slack endpoints skip JWT auth (use HMAC/signature)
- docker-compose.yml: shared Postgres + Redis + Meilisearch, all 4 Node products as services
- init-db.sh: creates per-product databases and runs migrations
- P1 (Rust) and P2 (Go agent) run standalone, not in compose
 2026-03-01 03:10:35 +00:00
Max Mayfield
4957946d29 Flesh out dd0c/cost: ingestion with Welford optimistic locking, anomaly API, governance, baselines 
- Ingestion API: batch cost events, Welford baseline update with optimistic locking (version column), anomaly detection inline
- Anomaly API: list (filtered), acknowledge, snooze (1-168h), mark expected, dashboard summary with hourly trend
- Governance API: mode status, promotion eligibility check with FP rate calculation
- Baseline API: list with computed stddev, reset per resource
- Data layer: withTenant() RLS wrapper, Zod config with ANOMALY_THRESHOLD
- Fastify server entry point
 2026-03-01 03:07:02 +00:00